Develop and implement responses to declared incidents according to pre-defined procedures.
Write procedures ahead of time to use when responding to incidents. These procedures guide the development and implementation of responses during an incident. Responses should prevent or contain the impact of an incident while it is occurring or shortly after it has occurred. The type of response will vary depending on the incident. Response actions might include:
* stopping or containing the damage (e.g., by taking hardware or systems offline)
* communicating to users (e.g., avoid opening a specific type of email message)
* communicating to stakeholders (e.g., corporate management)
* implementing controls (e.g., updating access control lists)

Example
You are in charge of IT operations for your company. In this role, you manage all declared incidents. You have procedures in place for handling different types of declared incidents. For example, when a phishing email incident is identified, you follow a predefined process: you notify the company about the suspicious email and tell employees what to do if they receive it.
CERT RMM v1.2
Responding to an organizational incident is often dependent on proper advance planning by the organization in establishing, defining, and staffing an incident management capability. Responding to an incident describes the actions the organization takes to prevent or contain the impact of an incident on the organization while it is occurring or shortly after it has occurred. The range, scope, and breadth of the organizational response will vary widely depending on the nature of the incident. Incident response may be as simple as notifying users to avoid opening a specific type of email message or as complicated as having to implement service continuity plans that require relocation of services and operations to an off-site provider. The broad range of potential incidents requires the organization to have a broad range of capability in incident response.
CIS Controls v7.1 19.1
NIST SP 800-53 Rev 4 IR-4
NIST CSF v1.1 RS.RP-1
CERT RMM v1.2 IMC:SG4.SP2
IR.2.096.[a] the organization has an incident declaration process; and
IR.2.096.[b] the organization has predefined procedures that address incident response activities.